Solved

H323 through an ASA

Posted on 2011-03-07
Last Modified: 2012-08-14
I have a setup as follows

H323 v codec ----- Cisco 877 -----VPN-----(outside) Cisco ASA 5510 (inside) ------- H323 Gateway.

The problem is that the H323 video codec is not registering with the H323 gateway. Other codecs which do not go through the firewall register with the Gateway ok. The Routing, VPN and Connectivity between the two gateways is fine, they can talk to each other on any port on any protocol.

A packet capture on the 877 shows that the codec is sending out H323 register packets. With a show ipsec sa detail you can see the packets are being encrypted as this is currently the only traffic on the link. On the cisco ASA you can see the packets are being decrypted but then they vanish. A packet capture on the inside interface of the firewall shows no traffic from the video codec.

Full debugging on both the ASA and 877 does not show any errors. I have tried having both inspect option h323 turned on and off for the ASA on the .

Anyone got any ideas on why this traffic would be blocked?



 
Question by:question01
12 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35062022
0
 
LVL 20

Expert Comment

by:netcmh
ID: 35062078
policy-map global_policy
 class inspection_default
  inspect h323
  inspect sip

Would be all that's required, I think.
0
 
LVL 1

Author Comment

by:question01
ID: 35062124
Yes I have tried it with the following config and without.  

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 
Makes no difference.

Does the global_policy definitely apply to traffic coming out of a VPN?
0

 
LVL 1

Author Comment

by:question01
ID: 35062131
Why would I need SIP?
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35062180
Did you apply the policy to the outside interface?
What do the logs show?
0
 
LVL 1

Author Comment

by:question01
ID: 35062297
The global_policy applies to all traffic by default, doesn't it?

The only log from the ASA which mentions the codec is

Tear-down local-host outside:10.x.x.x duration: 00:00:00

The 10.x.x.x is the codec. This log gets created every 10 seconds or so with the duration at 00:00:00
0
 
LVL 1

Author Comment

by:question01
ID: 35062604
Canberra-ASA# show service-policy inspect h323 h225

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection
Canberra-ASA# show service-policy inspect h323 ras

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35066334
It shows that the inspection has not recognized the H323 packets...
0
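
An added example, not posted by any participant in this thread: a small Python parser for the "show service-policy inspect h323" output above that separates "traffic never reached the inspection engine" (packet counter 0) from "traffic was inspected and dropped". The function names and the three labels are assumptions of this example; the sample input is the h225 output from the thread with the tcp-proxy and h245-tunnel-block counter lines trimmed.

```python
import re

# Sample input: h225 output from the thread, secondary counter lines trimmed.
SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
"""

INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<engine>.+?),\s+packet (?P<packet>\d+),\s+drop (?P<drop>\d+),"
    r"\s+reset-drop (?P<reset>\d+)")

def parse_service_policy(text):
    """Return one dict per Inspect line with its scope, policy, class and counters."""
    rows, scope, policy, cmap = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Global policy:":
            scope = "global"
        elif s.startswith("Interface ") and s.endswith(":"):
            scope = "interface " + s[len("Interface "):-1]
        elif s.startswith("Service-policy:"):
            policy = s.split(":", 1)[1].strip()
        elif s.startswith("Class-map:"):
            cmap = s.split(":", 1)[1].strip()
        else:
            m = INSPECT_RE.match(s)
            if m:
                rows.append({"scope": scope, "policy": policy, "class": cmap,
                             "engine": m["engine"], "packet": int(m["packet"]),
                             "drop": int(m["drop"]), "reset_drop": int(m["reset"])})
    return rows

def classify(row):
    """Label a row (labels are this example's own, not ASA terminology)."""
    if row["packet"] == 0:
        return "no-match"  # nothing was handed to the inspection engine
    return "inspected-dropped" if row["drop"] or row["reset_drop"] else "inspected-ok"

for r in parse_service_policy(SAMPLE):
    print(r["scope"], r["policy"], r["class"], classify(r))
```

A "no-match" result on every policy, as here, points at the traffic being lost before inspection rather than at the H.323 inspection settings themselves.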
 
LVL 1

Author Comment

by:question01
ID: 35075006
Yes, it looks that way. So why would it not be inspecting the h323 packets?

Does the global policy apply to traffic coming out of a VPN?

0
 
LVL 1

Accepted Solution

by:
question01 earned 0 total points
ID: 35089993
After a reboot of the firewall, the problem is resolved. Not sure what was causing the problem, but the VPN was playing up with some strange errors.

0
 
LVL 1

Author Closing Comment

by:question01
ID: 35126460
Reboot fixed it.
0
 
LVL 20

Expert Comment

by:netcmh
ID: 35129291
Glad you got that resolved.
0
